Tokenization replaces a cardholder's PAN (primary account number) with a token. By using tokens, merchants do not have to store credit card numbers. Tokenization is also part of the PCC-DSI compliant structure.
Tokenization is not the same as encryption. While both provide security, tokenization is a substitution, whereas encryption is a transformation. Tokenization is also one-way — it cannot be reversed, engineered, or undone. Encrypted strings can be decrypted.
When PANs are tokenized, the resulting string still looks like a credit card number. It contains all of the important components, including the BIN, sequence number, and check digit.
Tokens are issued by a tokenization service provider (TSP) for online purchases or at the point-of-sale terminal for in-store purchases. The merchant does not issue them. No card numbers will be stolen if the merchant's software platform is hacked. Since credit card numbers are not stored with the merchant, their PCI liability is reduced.
Here's how a tokenized transaction works. A customer uses their mobile phone, watch, or other digital device to make a purchase. This device does not transmit their card number to the merchant. Instead, it transmits a token. Once the merchant has the token, they communicate with the TSP to complete the transaction.
Tokenization may sound like a bulletproof solution against payment fraud. Unfortunately, no scheme is bulletproof. Last year, $450 million in global losses were attributed to tokenization fraud, according to Visa. Fraudsters have found ways to send illegitimate tokens to TSPs, resulting in valid transactions. This mainly occurs online as it is more difficult to spoof tokens at an in-store point-of-sale terminal.
Visa's New Tokenization Fraud Fighting Tool
Visa has created a new program called Provisioning Intelligence to fight token fraud. Like many other credit card fraud fighting schemes, it will use artificial intelligence to analyze patterns for potentially fraudulent tokens. A score will be generated based on the likelihood that a token is fraudulent. The higher the score, the higher the probability that the token is fraudulent.
While Visa's program is a step in the right direction of fighting token fraud and will no doubt reduce losses, criminals will continue to be one step ahead. This will keep credit card processors on their toes, looking for the next innovation to help reduce potential payment fraud.